Microsoft cloud: technology and law

Michał Jaworski, Director of Strategy, Microsoft sp. z o.o., [email protected]. Microsoft cloud computing: technology and law

Author: konwent2015

Posted on 15-Jan-2017


TRANSCRIPT

  • Michał Jaworski

    Director of Strategy

    Microsoft sp. z o.o.

    [email protected]

    Microsoft cloud computing: technology and law

  • Accountants

    Lawyers

  • The automotive industry as an analogy, in three eras (reconstructed from the slide's timeline)

    1900–1970: local character; national markets; mechanics only; zero IT; cheap fuel; distinctive cars; a producers' market

    1970–2010: opening of the industry; regional markets; mechanics + electronics; the network inside the car; fuel crisis; typical cars; integration of the industry

    2010–future: global networks; global markets; IT + mechatronics; the car inside the network; new energy sources; diversified cars; a consumer and regulator market


  • $500M+

  • 6

  • Threats and Windows security features by year (reconstructed from the slide's timeline: 2001, 2004, 2007, 2009, 2012, 2015)

    2001

    Threats: Melissa (1999), Love Letter (2000); mainly leveraging social engineering

    Windows XP: Logon (Ctrl+Alt+Del); Access Control; User Profiles; Security Policy; Encrypting File System (file based); Smartcard and PKI support; Windows Update

    2004

    Threats: Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; mainly exploiting buffer overflows; script kiddies; time from patch to exploit: several days to weeks

    Windows XP SP2: Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); Security Development Lifecycle (SDL); Auto Update on by default; Firewall on by default; Windows Security Center; WPA support

    2007

    Threats: Zotob (2005); attacks moving up the stack (Summer of Office 0-day); rootkits; exploitation of buffer overflows; script kiddies; rise of phishing; users running as admin

    Windows Vista: BitLocker; PatchGuard; improved ASLR and DEP; full SDL; User Account Control; Internet Explorer SmartScreen Filter; Digital Rights Management; firewall improvements; signed device driver requirements; TPM support; Windows Integrity Levels; secure-by-default configuration (Windows features and IE)

    2009

    Threats: organized crime; botnets; identity theft; Conficker (2008); time from patch to exploit: days

    Windows 7: improved ASLR and DEP; full SDL; improved IPsec stack; Managed Service Accounts; improved User Account Control; enhanced auditing; Internet Explorer SmartScreen Filter; AppLocker; BitLocker To Go; Windows Biometric Service; Windows Action Center; Windows Defender

    2012

    Threats: organized crime, potential state actors; sophisticated targeted attacks: Aurora (2009) and Stuxnet (2010); password and digital identity theft and misuse; signature-based AV unable to keep up; digital signature tampering; browser plug-in exploits; data loss on BYOD devices

    Windows 8: firmware-based TPM; UEFI (Secure Boot); Trusted Boot (with ELAM); Measured Boot; significant improvements to ASLR and DEP; AppContainer; Windows Store; Internet Explorer 10 (plugin-less and Enhanced Protected Modes); application reputation moved into the core OS; Device Encryption (all SKUs); BitLocker improvements and MBAM; virtual smartcards; Dynamic Access Control; built-in AV (Windows Defender); improved biometrics; TPM key protection and attestation; certificate reputation; Provable PC Health; Remote Business Data Removal

    2015

    Threats: state services of certain countries attacking governments and companies; cyber-terrorism and hybrid wars; CryptoLocker (2013) and APTs at scale; rampant password theft and abuse; Pass the Hash becomes part of the default playbook; AV unable to keep up

    Windows 10: Virtual Secure Mode; virtual TPM; Control Flow Guard; Microsoft Passport; Windows Hello; Biometric Framework improvements (iris, facial); broad OEM support for biometric-enabled devices; Enterprise Data Protection; Device Encryption supported on a broader range of devices; DMA attack mitigations; Device Guard; URL reputation improvements; app reputation improvements; Windows Defender improvements; Provable PC Health improvements

  • Cloud First

    Mobile First

  • FOUNDATION: STATUTORY REQUIREMENTS

    DOMAIN: COMPLIANCE, STANDARDS

    ORGANISATION: GOVERNANCE, RISK MANAGEMENT, COMPLIANCE, INTERNAL REGULATIONS

    REQUIREMENTS AND GUIDELINES: POLICY, LAW

    COMPANY-OWNED DATA CENTER

  • FOUNDATION: STATUTORY REQUIREMENTS

    DOMAIN: COMPLIANCE, STANDARDS

    ORGANISATION: GOVERNANCE, RISK MANAGEMENT, COMPLIANCE, INTERNAL REGULATIONS

    REQUIREMENTS AND GUIDELINES: POLICY, LAW

    MICROSOFT DATA CENTER

  • Source: https://mac.gov.pl/files/chmura_obliczeniowa_w_administracji_publicznej_20141117_1211.pdf

  • THE COURT (GRAND CHAMBER) HEREBY RULES:

    1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

    2. Decision 2000/520 is invalid.

    Source: http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=pl&lang2=EN&type=TXT&ancre=

  • the ruling concerns only those data transfers that were based on adequacy of protection; other legal bases (e.g. the exceptions set out in the Polish Personal Data Protection Act, uodo) remain unchanged

    transfers of personal data based on the Safe Harbor mechanism have lost their legal basis, and data protection authorities (including GIODO) may order the suspension of transfers of personal data to the United States where they find a lack of adequate protection and that the other conditions permitting transfers to that country are not met either (among them basing the transfer on standard model clauses or binding corporate rules)

    immediate effect of the ruling: no grace period, even though in earlier judgments the CJEU, when declaring a Commission decision invalid, at the same time suspended the effects of the judgment until a new decision was issued

    additional legal risks for data exporters (administrative and criminal liability)

    Source: Xawery Konarski, attorney (mec.), Senior Partner, Traple Konarski Podrecki i Wspólnicy, seminar of 20.10.2015, Warsaw

  • In the meantime, transatlantic data flows between companies CAN CONTINUE USING OTHER MECHANISMS for international transfers of personal data available under EU data protection law.

    EU First Vice-President Timmermans and Commissioner Jourová

  • Source: http://prawo.gazetaprawna.pl/artykuly/900582,wiewiorowski-o-wyroku-ws-facebooka-to-nie-koniec-swiata-dla-biznesu.html

    (…) The United States is not recognised by Europe as a country with adequate protection of personal data, although in some sectors (e.g. with respect to medical data) the American system is at times stricter than the European one. Data transfers to the United States have so far taken place not only on the basis of the contested Safe Harbour decision, but also using standard contractual clauses, binding corporate rules or individual decisions of European data protection authorities. The Court did not invalidate those tools.

  • Trust Centers for cloud products

    Contract provisions

    Letter from the Article 29 Working Party on the implementation of standard contractual clauses, 2 April 2014

  • ISO 27018 provides appropriate technical and organizational measures to protect personal data

    A personal data processor [e.g. Microsoft] and the personal data controller [the customer] occupy distinct roles in the handling of personal data; the personal data processor supports the personal data controller's compliance with appropriate regulation.

    A successful third-party audit of a personal data processor's support for ISO 27018 is proof of conformance to the standard in support of the customer's regulatory obligations.

    PII to be processed under a data processing contract should not be processed for any purpose independent of the instructions of the cloud service customer. PII processed under a data processing contract should not be used by the cloud PII processor for the purposes of marketing and advertising without express consent. Such consent should not be a condition of receiving the service.

    Other key ISO 27018 requirements relating to personal data comprise:

    Law enforcement requests: notify the customer of legally binding law enforcement requests to disclose customer data, unless such disclosure is otherwise prohibited

    Breach notification: notify the customer in the event of any unauthorized access to personal data or to processing equipment or facilities resulting in loss, disclosure or alteration of personal data

    Data deletion after portability: retention period of customer data once the contract has terminated (Microsoft: up to 180 days)

    Geographic location of data: identify the countries where data may be stored.

  • Source:

    http://blogs.microsoft.com/on-the-issues/2014/05/22/new-success-in-protecting-customer-rights-unsealed-today/

    http://blogs.microsoft.com/blog/2014/12/15/business-media-civil-society-speak-key-privacy-case/

  • Data location is written into the contracts, in the section "Privacy and security provisions"

    Customers may restrict the storage of personal data to the European Economic Area

    Location information is published on our web pages, e.g. for Office 365: http://www.microsoft.com/online/legal/v2/?docid=25&langid=pl-pl

  • Azure

    Customer

  • RMS SDK.NET Crypto

    SQL TDE Bitlocker Partners EFS

    Bitlocker StorSimple

  • Physical Security

    Security Best Practices

    Secure Network Layer

    Data Encryption

    Office 365 has over 900 controls today!

    Built-in Capabilities

    Customer Controls

    Office 365 Service | Master GRC Control Sets | Certifications

    DLP

    OME

    SMIME

    RBAC

    RMS

    Account Mgmt.

    Incident Monitoring

    Data Encryption

    Encryption of stored data and more

    Data Minimization & Retention

    New Certs and more

    Access Control

    Office 365 Services

  • mBank

    Neckermann

    Śląskie Centrum Chorób Serca

    AmRest

    Merlin.pl

    Grecos Holiday

    Sanmar

    Kancelaria Radcy Prawnego Piotra Skrzypczaka

    Złote Wyprzedaże

    Zamek Książ

    Centrum Nauki Kopernik

    Fundacja Wiosna

    Fundacja Podaj dalej

    Fundacja Aegis

    Stowarzyszenie Kres

    NZS

    Uniwersytet Łódzki

    Prywatna SP nr 51 w Warszawie

    SP nr 3 w Ząbkach

  • IT has finally ceased to be the domain of engineers. Economic considerations and legal regulations will decide IT.

    Costs and meeting requirements, but also technology and security considerations, are making cloud solutions dominant.

    Technical skills will matter less than the ability to navigate legal and organisational requirements.

    The scope of control and responsibility will be distributed between users and cloud providers.

    Only the largest providers will be able to survive the arms race and the requirements imposed on IT.

  • Michał Jaworski

    Director of Strategy

    Microsoft sp. z o.o.

    [email protected]

    Thank you very much!